[Swan] Tunnel Going Down

Paul Wouters paul at nohats.ca
Thu Oct 20 21:53:10 UTC 2016


Set rekey=yes ?

Don't set leftsubnet if same as left
Don't set leftsourceip without a real leftsubnet


Sent from my iPhone

> On Oct 20, 2016, at 16:26, Banana Man <bananasgorilla16 at gmail.com> wrote:
> 
> Hi:
> I have a number of tunnels running well on a CentOS 7 machine with libreswan 3.15-5.el7_1. I added a new tunnel which I am having some issues with; the only real difference is that the new one is using ikev2. The config is:
> 
> conn demo
>     type=tunnel
>     authby=secret
> 
>     left=10.0.0.3
>     leftsubnet=10.0.0.3/255.255.255.255
>     leftnexthop=123.45.67.4
>     leftsourceip=10.0.0.3
> 
>     right=123.45.67.4
>     rightsubnet=123.45.67.198/255.255.255.255
>     rightnexthop=10.0.0.3
>     rightsourceip=123.45.67.198
> 
>     ikev2=insist
>     ike=aes-sha1
>     ikelifetime=86400s
>     phase2alg=aes-256
>     salifetime=28800s
>     rekey=no
>     pfs=no
>     auto=start
> 
> The other side is, I think, a Cisco ASA. The tunnel has failed sporadically and I see the following output from ipsec status when this happens:
> 
> 000 #18146: "demo":500 STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_v2_RESPONDER_TIMEOUT in 77s; idle; import:respond to stranger
> 
> I couldn't find a lot of information on this error. Can anyone point out anything I can do here? Is there a way to automatically recover from an event like this? It works fine (for a while) with a --replace & --up.
> 
> Thanks,
> Bananas
> 
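As an added example, not part of the thread, here is a small Python lint that parses an ipsec.conf-style conn block and flags the three settings the reply points at: rekey=no, a leftsubnet/rightsubnet that is only the endpoint's own host address, and a sourceip set without a real subnet behind it. The sample conn is constructed from the post's config.

```python
import ipaddress
from collections import defaultdict

# Constructed sample based on the conn in the original post.
SAMPLE_CONF = """\
conn demo
    type=tunnel
    left=10.0.0.3
    leftsubnet=10.0.0.3/255.255.255.255
    leftsourceip=10.0.0.3
    right=123.45.67.4
    rightsubnet=123.45.67.198/255.255.255.255
    rightsourceip=123.45.67.198
    ikev2=insist
    rekey=no
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
        elif current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[current][key] = val
    return dict(conns)

def host_only(addr, subnet):
    """True when subnet is just the /32 (or /128) of the endpoint address itself."""
    if not addr or not subnet:
        return False
    try:
        return ipaddress.ip_network(subnet, strict=False) == ipaddress.ip_network(addr)
    except ValueError:
        return False

def check_conn(name, c):
    """Return (conn, key, message) findings for the issues raised in the reply."""
    findings = []
    if c.get("rekey", "yes").lower() == "no":  # libreswan defaults rekey to yes
        findings.append((name, "rekey", "rekey=no: SA is not renegotiated on expiry; set rekey=yes"))
    for side in ("left", "right"):
        addr, subnet, srcip = c.get(side), c.get(side + "subnet"), c.get(side + "sourceip")
        if host_only(addr, subnet):
            findings.append((name, side + "subnet", f"{side}subnet is just {side} itself; drop it"))
        if srcip and (not subnet or host_only(addr, subnet)):
            findings.append((name, side + "sourceip", f"{side}sourceip set without a real {side}subnet"))
    return findings

def lint(text):
    return [f for name, c in parse_conns(text).items() for f in check_conn(name, c)]
```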

